CVE-2025-22074 in Linuxinfo

Summary

by MITRE • 04/16/2025

In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix r_count dec/increment mismatch

r_count is only increased when there is an oplock break wait, so r_count inc/decrement are not paired. This can cause r_count to become negative, which can lead to a problem where the ksmbd thread does not terminate.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/15/2026

The vulnerability identified as CVE-2025-22074 resides within the Linux kernel's ksmbd subsystem, which provides SMB/CIFS file sharing capabilities for Linux systems. This issue represents a critical synchronization flaw that affects the kernel's handling of oplock break operations within the ksmbd implementation. The vulnerability stems from an inconsistent increment and decrement operation on the r_count variable, which serves as a critical counter for tracking active operations within the SMB server implementation.

The technical flaw manifests when the ksmbd subsystem processes oplock break requests from SMB clients. The r_count variable is designed to track the number of operations that are currently waiting or active within the system. However, the implementation contains a logical error where r_count is only incremented during specific conditions related to oplock break waits, while the decrement operations occur under different circumstances. This mismatch creates a scenario where the counter can become negative, indicating a fundamental inconsistency in the subsystem's state management. The negative r_count value represents a corrupted internal state that can cause unpredictable behavior in the kernel's thread management system.

The operational impact of this vulnerability extends beyond simple counter corruption, as it directly affects the ksmbd thread lifecycle management. When r_count becomes negative due to the mismatched increment/decrement operations, it creates a condition where the ksmbd thread fails to properly terminate its execution cycle. This thread termination failure results in resource leaks where kernel threads remain active and consume system resources indefinitely. The vulnerability can lead to progressive resource exhaustion, system instability, and potential denial of service conditions that affect the entire SMB file sharing service. Attackers who can trigger the specific conditions leading to this counter mismatch may be able to cause persistent resource consumption and service disruption.

Mitigation strategies for CVE-2025-22074 should focus on patching the kernel to correct the r_count increment/decrement logic within the ksmbd subsystem. The fix requires ensuring that every increment operation has a corresponding decrement operation, maintaining proper counter balance throughout all execution paths. System administrators should prioritize updating their kernel versions to include the patched implementation that resolves the synchronization issue. Additionally, monitoring systems should be implemented to detect anomalous thread behavior or resource consumption patterns that might indicate the presence of this vulnerability. The vulnerability aligns with CWE-665 improper initialization and CWE-129 improper validation of array indices, while the thread termination failure pattern corresponds to ATT&CK technique T1489. The issue represents a classic race condition problem where improper synchronization leads to system instability and resource management failures within kernel-space SMB implementations.

Responsible

Linux

Reservation

12/29/2024

Disclosure

04/16/2025

Moderation

accepted

CPE

ready

EPSS

0.00176

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!